Vancouver Sun

Cowboys of the digital frontier

A new generation of bounty hunters seek financial rewards for their cyber efforts.

- GILLIAN SHAW

Hunched over laptops in a small room in a downtown hotel in Vancouver, they’re unlikely looking bounty hunters. No guns, no handcuffs and no bad guys in sight.

Instead, their prey lurks hidden in the computer: software bugs that can be exploited by hackers intent on cracking supposedly secure websites. For two days at the CanSecWest security conference earlier this year in Vancouver, a steady parade of security experts attacked everything from Apple’s Safari, Microsoft’s Internet Explorer and other web browsers, to Adobe’s Flash.

By the end of the two days, they had collectively racked up close to $1 million. It wasn’t the ill-gotten gains of black-hat hackers, but instead prize money awarded by companies to white-hat hackers who search out bugs in software — and by doing so help companies make the software more secure. (The term “black hat” comes from old westerns where the bad guys usually wore black hats and the good guys wore white ones.)

“These websites are already under attack,” said Jacob Hansen, CEO and co-founder of CrowdCurity, a California-based start-up that provides companies with a platform for crowdsourcing security testing, with rewards programs.

“What you do by creating a bounty program or a reward program is you are really creating a communications channel for the good guys out there.

“They can use the communications channel to identify security issues and then earn a reward.”

It also heightens their stature in the security community. Getting paid by a company like Google or Microsoft for uncovering a major glitch means more than cash: it’s cachet.

“They are able to put it on their CV, they tweet about it, blog about it, they’re recognized within the community for being a skilled security guy,” said Hansen.

Rewards can be lucrative

Vancouver’s Bex.io, which provides a software platform for bitcoin exchanges, is among companies that pay a bug bounty to white-hat hackers to help improve their security. “The general idea of a bug bounty is that you put your software up to attack,” said Kris Constable, in charge of Bex.io’s operations and security. “Most software that exists today is attacked by malicious people. The idea of a bug bounty is to create a model where people can use those powers for good. Instead of using that vulnerability against you, they are rewarded for finding it.

“Most major companies now are offering bug bounties.”

With bitcoin exchanges a potentially lucrative target for hackers, the stakes are high and Bex.io has an ongoing bounty program, with rewards paid in bitcoins.

Payoffs vary, and they can be lucrative.

Microsoft’s bounty program pays up to $100,000 for “truly novel exploitation techniques” in attacks on the latest version of its operating system.

Earlier this year, Google expanded its vulnerability reward program to include all its Chrome apps and extensions, offering rewards ranging from $500 to $10,000 US depending on the severity of the vulnerability and its potential use to hackers.

Facebook offers a minimum $500 reward to white-hat hackers who uncover security bugs, with no maximum specified, and payments based on the severity and creativity of the exploit.

Late last year, Brazilian web security researcher Reginaldo Silva found a Facebook vulnerability that could have been used by hackers. Within three-and-a-half hours of getting Silva’s report, Facebook had a short-term fix live, and it later paid Silva a $33,500 US bounty.

According to Facebook, it has paid out more than $2 million since it started its bug bounty program in 2011. In 2013, it paid out a total of $1.5 million to 330 researchers worldwide.

Etsy, an online marketplace for handmade and vintage items, also offers a minimum $500 reward, with higher payouts depending on the bug found.

CEOs held accountable

While Internet security was once shrouded in secrecy, with companies preferring to simply assure their customers and users that their applications are secure, that “security through obscurity” viewpoint is coming under increasing criticism.

No sooner do companies issue such reassurances than news of another major breach breaks. Most recently, eBay warned all its users to change their passwords after hackers accessed a database with customers’ names, encrypted passwords and other personal data.

And blaming hackers is no longer enough — now, not only IT departments but CEOs are being held accountable by customers and by shareholders.

Target president and CEO Gregg Steinhafel stepped down earlier this year, his departure hastened by a massive security breach in which hackers accessed personal and financial data — including credit and debit card information — for more than 40 million customers.

Companies that use crowdsourcing to test their software say they aren’t making themselves more vulnerable to attack: hackers are testing all the time anyway; they’re just not sharing their discoveries with their victims.

“There are two schools here, the new school and the old school,” said Hansen. “In the old school they want to hide everything and not be open and transparent around potential security issues.

“The new school realizes they need to interact with the (security) community. Nobody is 100 per cent secure, but the best way to ensure you are as secure as you can be is to interact with the community.”

CrowdCurity lets companies set up their own bug bounty program on its website, with rewards ranging from $1,000 for a highly critical bug, to $300 for a medium one and $50 for a bug judged to be not so critical. CrowdCurity has 1,000 testers from all over the world who can choose to take the challenge and see if they can uncover glitches that could leave a website vulnerable to attack.

Displaying an assurance of security no longer guarantees a website is secure, and Hansen thinks it won’t be long before bug bounty programs become standard — meaning consumers will expect such testing. Bug bounty programs may even be touted by marketing and PR departments hoping to convince users they’re serious about security.

“It will be a requirement for users of the website that the site interact with the security community and stay transparent around their security issues,” said Hansen.

Claims can be difficult

Shane Macaulay, considered one of the top bug bounty hunters in the world, was a winner in the first CanSecWest Pwn2Own contest in 2007. (Pwn is slang meaning to own in the sense of conquering or taking over; own refers to the fact that successful hackers get to keep the laptop they hacked.)

Even though rewards programs have been around for a number of years, Macaulay said they can still be controversial.

“I think in the long run you might see a little bit more of a formalized structure in some of these systems,” he said. “Sometimes there is a little confusion over severity (of the vulnerability), over how much it’s worth. There is still room to grow, to make it more fair for everybody.”

While it can become a full-time occupation — and a lucrative one at that — Macaulay said he has switched to the defensive side of security.

“I like a little more stability and less stress,” he said. “When you’re constantly fighting to attack these products, it can get a little bit stressful.”

While there’s money to be made, it’s not always a simple matter of claiming it.

Last summer, a systems information expert from Palestine tried to report a security flaw to Facebook and, frustrated by a lack of response, hacked Facebook founder Mark Zuckerberg’s account. While Facebook fixed the security flaw, it didn’t pay Khalil Shreateh under its bug bounty program, arguing he broke the rules.

In another case that made headlines in the security world, a then-17-year-old German student complained PayPal didn’t pay up when he reported a vulnerability on its website.

The teen, Robert Kugler, disclosed the vulnerability online and wrote that PayPal told him he was too young to claim a prize.

PayPal, which is owned by eBay, denied that it withheld payment because of the youth’s age, saying instead that the vulnerability had already been reported. Other youths have fared better.

A 12-year-old San Jose boy was paid $3,000 by Mozilla for uncovering security flaws in the Firefox web browser. And a teen security researcher, known by his nickname “Pinkie Pie,” won Internet renown and $60,000 from Google for cracking Chrome at CanSecWest’s contest in 2012.

“If you’ve got hacking skills, it’s extra income,” said Bex.io’s Constable. “For some people it’s a career.”

For companies, Constable said, it’s a cost-effective way of getting experts to test security systems. “You can’t pay for 7,500 people around the world to be all hacking your site,” he said.

Outcompeting black hats

While some companies worry that discoveries could be kept secret, bug bounty proponents say that although only the first person to report a bug gets a reward, with so many people testing it’s often not long before others find the same bug.

So hackers who want to exploit software glitches are unlikely to join bug bounty schemes — they’re more interested in finding software glitches that remain unknown, much as the recently publicized Heartbleed vulnerability did for two years.

Marisa Fagan, community manager at Bugcrowd Inc., said that as bug bounty programs grow — with more and more security researchers searching out bugs — it will narrow the opportunities for black-hat hackers.

Bugcrowd.com, as the name suggests, crowdsources bug testing with 8,900 testers around the world.

“What’s fantastic about the bug bounty programs becoming so popular is that it really does create this race against time for the black-hat community,” she said.

“It really has put the so-called black-hat community on notice because they’re not going to be able to use the same vulnerabilities with impunity as before, at least not for long. ... Now there is a ticking clock on every vulnerability and it’s just a matter of time before the crowd finds them. We’re trying to spread the notion this is something each and every company can do.”
